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SUMMARY We consider the mismatched measurements in 
the BB84 quantum key distribution protocol, in which measur- 
ing bases are different from transmitting bases. We give a lower 
bound on the amount of a secret key that can be extracted from 
the mismatched measurements. Our lower bound shows that 
we can extract a secret key from the mismatched measurements 
with certain quantum channels, such as the channel over which 
the Hadamard matrix is applied to each qubit with high probabil- 
ity. Moreover, the entropic uncertainty principle implies that one 
cannot extract the secret key from both matched measurements 
and mismatched ones simultaneously, when we use the standard 
information reconciliation and privacy amplification procedure. 
key words: BB84, mismatched measurement, quantum key dis- 
tribution 

1. Introduction 

The BB84 protocol [1] is one of the most-known pro- 
tocols for quantum key distribution. In this proto- 
col, the sender, Alice, sends qubits in one of four 
quantum state vectors |0), |+) = (|0) -I- |1))/V2, 
I-) = (|0) - \1})/V2, where {|0), |1)} forms an or- 
thonormal basis. Then the receiver. Bob, measures the 
received qubits with either {|0), |1)} or {|+), |— )} ba- 
sis. After that, Alice publicly announces to which {|0), 
|1)} or {|+), |— )} basis each qubit belong. Bob discard 
the measurement outcomes whose bases do not contain 
the transmitted qubit. We call such measurement mis- 
matched measurement in this paper. After that, Alice 
and Bob perform the information reconciliation and the 
privacy amplification to obtain the same secret key as 
described in [12]. 

As far as the authors know, there is no literature 
that clarifies the amount of key that can be extracted 
from mismatched measurements in the BB84 protocol, 
though Pawlowski [10] studied the same problem with 
a protocol completely different from the BB84. The ef- 
ficiency of a quantum key distribution (QKD) protocol 
is measured by the ratio of extracted bits of secret key 
per remaining bits not disclosed nor discarded, which is 
called key rate. We shall show a lower bound on the key 
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rate that can be extracted from mismatched measure- 
ments in the BB84 protocol. Moreover, we shall show 
that, when we use the standard information reconcil- 
iation and privacy amplification in [12] and the well- 
known lower bound on the key rate [4], the entropic 
uncertainty principle [8] implies that one cannot ex- 
tract the secret key from both matched measurements 
and mismatched ones simultaneously. 

The reader may think that the probability of get- 
ting the measurement outcome |-|-) is always 0.5 when 
the transmitted qubit is |0), and considering mis- 
matched measurement outcomes is useless and non- 
sense. We cannot extract a secret key from mismatched 
measurement outcomes when such a probability is 0.5. 
However, consider the quantum channel over which the 
Hadamard matrix is applied to each qubit with high 
probability. With such a quantum channel the above 
probability is close to or 1. The lower bound ob- 
tained in this paper shows that we can extract a secret 
key from mismatched measurement outcomes with such 
a quantum channel. 

This paper is organized as follows: Section 2 
presents a variant of the BB84 protocol. Section 3 veri- 
fies its unconditional security and shows a lower bound 
on its key rate. Section 4 shows that the lower bounds 
on the key rates available from matched measurements 
and mismatched ones cannot be simultaneously pos- 
itive, by using the entropic uncertainty principle [8]. 
Section 5 gives concluding remarks and lists several 
open research questions. 

2. Protocol 

In this section, we shall show a variant of the BB84 pro- 
tocol that tries to extract secret key from mismatched 
measurement outcomes. We define the matrices X and 
Z representing the bit error and the phase error, re- 
spectively, as 

A|0) = |1), A|1) = |0), 
Z|+)^|->, Z\-) = \+). 

1. Alice makes a random qubit sequence according 
to the i.i.d. uniform distribution on {|0), |1), |+), 
|— )} and sends it to Bob. 

2. Bob chooses the {|0), |1)} basis or {[+), |— )} basis 
uniformly randomly for each received qubit and 
measure it by the chosen basis. 
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3. Alice publicly announces which basis {|0), |1)} or 
{|+)> ^Sich transmitted qubit belongs to. Bob 
also publicly announces which basis was used for 
measurement of each qubit. In the following steps 
they will only consider qubits with which trans- 
mission basis and measuring bases do not coincide 
between Alice and Bob. 

4. Suppose that there are 2n qubits transmitted in 
the {|0), |1)} basis and measured with the {|+), 
|— )} basis by Bob. Index those qubits by 1, . . . , 
2n. Define the bit = if Alice's i-th qubit was 
|0), and Ui = 1 otherwise. Define the bit h = 
if Bob's measurement outcome for i-th qubit was 
1+), and bi = 1 otherwise. 

5. Suppose also that there are 2n' qubits transmitted 
in the {1+), |— )} basis and measured with the {|0), 
|1)} basis by Bob. Index those qubits by 1, . . . , 
2n' . Define the bit = if Alice's z-th qubit was 
|+), and ttj = 1 otherwise. Define the bit A = 
if Bob's measurement outcome for i-th qubit was 
|0), and (3i = 1 otherwise. 

For the simplicity of the presentation, we shall describe 
the procedure extracting the secret key from Oj and 6j. 
The key rate for ai, Pi will turn out to be the same 
as that for Oi, hi at the end of Section 3.2. In the 
following steps, the half of measurement outcomes will 
be disclosed and used for estimation of error rates qx 
and qz- The amount of disclosure can be arbitrarily 
chosen provided that the estimation of error rates can 
be done sufficiently accurately. 

6. Alice chooses a subset S <Z {1, . . . , 2n} with size 
\S\ = n uniformly randomly from subsets of {1, 
. . . , 2n}, and publicly announces the choice of S. 
Alice and Bob publicly announce a, and bi for i & S 
and compute the error rate 



Qx 



\{ieS\a^^bi}\ 



(1) 



7. Alice chooses a subset S' C {1, . . . , 2n'} with size 

\S'\ = n' imiformly randomly from subsets of {1, 
. . . , 2n'}, and publicly announces the choice of 5". 
Alice and Bob publicly announce and /Jj for i e 
S' and compute the error rate 



\{i&S' \ai^l3i}\ 
\S'\ 



(2) 



8. Alice and Bob decide a linear code Ci of length 
n such that its decoding error probability is suffi- 
ciently small over all the binary symmetric channel 
whose crossover probability is close to qx ■ Let Hi 
be a parity check matrix for C\, a be Alice's re- 
maining (not announced) bits among a,'s, and b 
be Bob's remaining bits among biS. 

9. Alice publicly announces the syndrome Hid. 

10. If qx > 0.5 then Bob negates every bit in b before 
executing the following steps. 



11. Bob compute the error vector / such that Hif ~ 
Hih — Hia by the decoding algorithm for Ci. With 
high probability b — f = a. 

12. Alice chooses a subspace C2 C Ci with dimC2 = 
nh{qz) uniformly randomly, where h denotes the 
binary entropy function, and publicly announces 
her choice of C2. The final shared secret key is the 
coset a + C2 . 

When measuring bases are the same as the trans- 
mitting bases, we can use the standard BB84 protocol. 
Thus, we discard no measurement outcome when we 
combine the above protocol with the standard BB84. 

3. Security proof and a lower bound on the key 
rate 

We shall verify the unconditional security of our pro- 
posed protocol by directly relating it to the quantum 
error correction by the quantum CSS (Calderbank- 
Shor-Steane) codes [2], [13]. To make this paper self- 
contained, we shall briefly review the CSS code. After 
that we shall relate our variant of the BB84 protocol 
to the CSS code in a similar way to Shor and Preskill 
[12]. 

3.1 Review of the CSS code 

For a binary vector v = {vi, w„) e F2, where 
F2 is the Galois field with two elements, we define the 
quantum state vector \v) by 

\v) = \vi) (g) • • • (g) \Vn). 

For two binary linear codes C2 C Ci C Fj, the CSS 
code is the complex linear space spanned by the vectors 




for all V G Ci. We also need parameterized CSS codes 
introduced in [12]. The parameterized CSS code for 
x,z GF2 is defined as the linear space spanned by 



1 



(3) 



for all V e Ci, where (•, •) denotes the inner product. 

3.2 Security proof and analysis of the key rate 

We shall first show that our protocol is equivalent to 
sending a parameterized CSS codeword with the pa- 
rameter z randomly chosen. If we fix v and x and 
choose z uniformly randomly in Eq. (3), then the re- 
sulting density operator is 
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\w2eC2 J 

= ^ \x + v + w){x + v + w\, (4) 

by the exactly same argument as [12]. 

Denote the right hand side of Eq. (4) by p{x,v). 
By a straightforward computation we can see 

The right hand side of Eq. (5) means sending |0) or |1) 
n times with equal probability, which is exactly what 
Alice is doing in our protocol. Announcing the syn- 
drome i?iO in Step 9 is equivalent to announcing which 
X is chosen. 

Consider the Hadamard matrix H defined by 
H\0) = 1+) and H\l) = |— ). Consider the memoryless 
quantum channel T over which the error HX occurs 
with probability rx, HZ occurs with probability rz, 
HXZ occurs with probability rxz, and H occurs with 
probability I — rx — rz — rxz, with qx = rx + rxz 
and qz = rz+rxz- The qubits received by Bob can be 
regarded as the output of F when Alice sends |0) and 
|1) with equal probability, which is equivalent to send- 
ing a quantum codeword in the CSS code as described 
above. 

If we apply to each qubit, then the quan- 

tum channel can be regarded as causing the X error 
with probability rx, the Z error with probability rz, 
and the XZ error with probability rxz- Therefore, 
if we use the standard decoding procedure of the CSS 
code after applying H^^ to each qubit in the received 
codeword, then the transmitted CSS codeword is re- 
covered with high fidelity provided that qx < 0.5 and 
qz < 0.5. Observe also that this imaginary quantum 
decoding process is equivalent to what is actually per- 
formed in our variant of the BB84 protocol described 
in Section 2 by the almost same argument as [12]. 

When qx > 0.5 and qz < 0.5, applying X to each 
qubit in the received codeword after makes qx to 
I — qx and leaves qz unchanged. When qx < 0.5 and 
qz > 0.5, apply Z to each qubit, and when qx > 0.5 
and qz > 0.5, apply XZ. By the above operations we 
can regard both qx and qz being less than 0.5 provided 
that qx 7^ 0.5 and qz ^ 0.5. Observe that application 
of Z is purely imaginary and does not correspond to the 
actual operations in the protocol in Section 2. On the 
other hand, application of X corresponds to flipping 
each bit in Step 10 in our protocol. Application of XZ 
is equivalent to that of X in the actual protocol. 

We have shown that the procedure in Section 2 can 
be regarded as the quantum error correction of the CSS 
code over a peculiar quantum channel F. It was shown 
in Corollary 2 of [3] that there exists a linear code Ci 



of information rate 1 — h(qx) satisfying the condition 
in Step 8. If we use such Ci then we can correct HX 
errors on F with high probability. 

It is stated in [12] and proved in [14] that random 
choice of [n — n/i(q'2)]-dimensional subspace C2 in C\ 
almost always gives the low phase error decoding prob- 
ability in the standard CSS decoding procedure. This 
implies that randomly chosen [n — n/i(g2)]-dimensional 
subspace C2 in Ci can almost always correct HZ er- 
rors on r. Therefore, if the choice of C'l is appropri- 
ate, then the fidelity of quantum error correction in 
the imaginary transmission of the CSS codeword (3) 
over the channel F is close to 1, which implies that the 
eavesdropper Eve can obtain little information by the 
same argument as [5], which shows the security of the 
BB84 protocol directly relating it to the quantum er- 
ror correction without use of entanglement distillation 
argument. 

Therefore, we can extract 1 — h{qx) — h{qz) bit of 
secret key from one bit of the raw bits a. With a similar 
argument, we can also see that the key rate available 
from aj's is 1 — h{qx) — h{qz)- Because with the key 
rate from a,'s the roles of qx and qz are interchanged, 
which does not change the key rate 1 — h{qx) — h{qz)- 

4. Implication by the uncertainty principle 

At the end of Section 2, we stated that we try to extract 
a secret key from both matched measurement outcomes 
and mismatched ones. In this section, we shall consider 
the relation between the amount of secret key extracted 
from matched measurement outcomes and that from 
mismatched ones. We shall show that we cannot ex- 
tract secret key from both matched and mismatched 
measurement outcomes by the; c;ntropic version [8] of 
the uncertainty principle, when we use the information 
reconciliation and privacy amplification in [12] and the 
lower bound on its key rate in [4]. Note that Koashi 
already used the uncertainty principle for security anal- 
ysis of QKD protocols [6]. 

Maasscn and Uffink [8] (see also Box 11.1 of [9]) 
proved the following version of uncertainty principle in 
terms of the Shannon entropy. Let p be a density oper- 
ator of a qubit. Let Poi (resp. ) be the probability 

distribution of the measurement outcome by measuring 
p by {|0), ]1)} (resp. {|-|-), [-)}). Let H{-) denotes the 

Shannon entropy. Then we have H{Poi) + H(P^ ) > 1 

as described at Eq. (11.3) in [9], where the entropy is 
counted in the unit of bits. 

Let F be the memoryless quantum channel that 
represents Eve's manipulation and the channel noise 
between Alice and Bob. F is a map between density 
operators. Define 

px- = (+|r(|-)(-|)|+), 
PX+ = (-|r(|+)(+|)|-), 

qxi = (+|F(|1)(1|)|+), 
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qxo 


= (-|r(|o)(o|)h) 


Pzi 


= (o|r(|i)(i|)|o), 


Pzo 


= (i|r(|o)(o|)|i), 


Qz- 


= (o|r(|-)(-|)|o) 


qz+ 


= (i|r(|+)(+|)|i) 



Observe that qx = {qxo + 9xi)/2 and qz = {qz+ + 
qz-)/2, where qx and qz are as defined in Eqs. (1) and 
(2). 

Define px = {px+ + Px-)/2 and pz = {pzo + 
Pzi)/2. Observe that pz (resp. px) is the error rate of 
the matched measurement in the BB84 protocol when 
transmitting basis is {|0), |1)} (resp. {|+), |— )})• The 
lower bound on key rate of the plain one-way postpro- 
cessing described in [12] is given by 1 — h(px) — h{pz) 
[4]. 

From the cntropic uncertainty principle reviewed 
at the beginning of this section, we have 



Hpx+) + h{qz+) > 1, 

h{px-)+h{qz-) > 1, 

h{pzo) + h{qxo) > 1, 

h{pzi) + Kqxi) > 1. 

By the concavity of the entropy function 



(6) 
(7) 
(8) 
(9) 



Hpx) = h (^^^^^) > ^(^^+)+^(^--) , (10) 



h{qz) = h 



qz+ + qz- 



> h{qz+) + h{qz-) ^^^^ 



Kpz) = h lP^^+E^\ > MPzo) + Mm) ^ (12) 



%;,) = Mg^° + g^M > Mgxo) + %xi)_ (13^ 



Applying Eqs. (10) and (11) to the sum of Eqs. (6) and 
(7) divided by two, we obtain 

Kpx) + h{qz) > 1. (14) 
Prom Eqs. (8, 9, 12, 13) in a similar manner we obtain 

Kpz) + h{qx) > 1. (15) 
Equations (14) and (15) imply 

[1 - h{px) - h{pz)] + [1 - h{qx) - h{qz)] < 0. (16) 

The first term in Eq. (16) is the lower bound on key 
rate of the matched measurement in the BB84 proto- 
col, while the second term is that of the mismatched 
measurement. Equation (16) means that both lower 
bounds on key rates cannot be simultaneously positive. 

5. Concluding remarks 

We proposed a variant of the BB84 protocol that ex- 
tracts secret key from measurement outcomes with 



which measuring bases arc different from transmitting 
bases, obtained a lower bound on the key rate which has 
a similar form to that of the standard BB84 protocol, 
and verified its unconditional security. After that, we 
showed that the lower bounds on the key rates available 
from matched and mismatched measurements cannot 
be simultaneously positive. 

Our result generates a number of interesting re- 
search questions. Firstly, the well-known upper bound 
(Table I in [4]) on the key rates of the BB84 proto- 
col [12] is expressed in terms of error rates for matched 
measurements with which measuring bases are the same; 
as the transmitting bases. If both error rates for the 
matched bases are 0.5, for example the Hadamard ma- 
trix is applied to every qubit, then those upper bounds 
state that we cannot extract secret key. However, our 
proposed variant of the BB84 protocol can extract se- 
cret key in such case. It is desirable to have an upper 
bound on the amount of available secret key taking into 
account mismatched measurement in the BB84 proto- 
col. 

Secondly, we could not disprove the possibility that 
we can extract secret key from both matched and mis- 
matched measurements by more sophisticated postpro- 
cessing of the BB84 protocol such as Refs. [4], [7], [11], 
[15]. It is desirable to prove or disprove such possibility. 

Thirdly, in the standard BB84 protocol, it is gen- 
erally believed that we can postprocess bits transmit- 
ted by {)0), [1)} basis and {[-I-), ]— )} basis separately 
without decreasing the key rate. The proposed vari- 
ant of the BB84 protocol separately postprocess bits 
obtained by matched measurements and mismatched 
ones, because the matched measurement outcomes are 
processed with the standard BB84 protocol separately. 
It is not clear whether or not such separate processing 
of matched and mismatched measurement outcomes de- 
creases the total amount of secret key. We leave these 
questions as future research agenda. 
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